firefox

Aza Raskin, Mozilla Firefox creative lead, demonstrated on his blog a new phishing technique that uses the browser's tabs. Traditional phishing techniques, by contrast, generally lead a user directly to a malicious web page that impersonates a trusted page, such as an online banking login site, which can then harvest the user's login information.

The new phishing technique makes use of morphing browser tabs to trick people into giving away login information. If the user leaves the page open in a browser tab and clicks to another tab, the malicious tab changes itself into a replica of the trusted site. It changes the title and the icon displayed on the tab, among other things, Raskin said. In the researcher's demonstration, the page imitated is the Gmail login page.

The user then might click back onto the malicious tab, mistaking it for the trusted site.

The attack works on major browsers including Firefox, Internet Explorer and Google Chrome. In Firefox it can be partially blocked using the NoScript add-on.
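The behaviour described above can be written as a detection rule: flag a tab whose title and icon both change while it is in the background. This is an added example, not code from Raskin's post or from any browser; the event format, field names and sample data are hypothetical and constructed.

```javascript
// Added illustration. The event format is hypothetical: it stands for what a
// tab monitor (for example a browser extension) could record per tab.
function detectTabMorph(events) {
  const tabs = new Map(); // tabId -> { title, icon, snapshot }
  const alerts = [];
  for (const ev of events) {
    if (!tabs.has(ev.tabId)) tabs.set(ev.tabId, { title: null, icon: null, snapshot: null });
    const tab = tabs.get(ev.tabId);
    if (ev.type === "title") tab.title = ev.value;
    else if (ev.type === "icon") tab.icon = ev.value;
    else if (ev.type === "hidden") {
      // User switched to another tab: remember what this one looked like.
      tab.snapshot = { title: tab.title, icon: tab.icon };
    } else if (ev.type === "visible" && tab.snapshot) {
      // User came back: compare with the snapshot taken when they left.
      const titleChanged = tab.title !== tab.snapshot.title;
      const iconChanged = tab.icon !== tab.snapshot.icon;
      // A title change alone is common (unread counters), so only the
      // combined title + icon change while hidden is reported.
      if (titleChanged && iconChanged) {
        alerts.push({ tabId: ev.tabId, before: tab.snapshot,
                      after: { title: tab.title, icon: tab.icon } });
      }
      tab.snapshot = null;
    }
  }
  return alerts;
}

// Constructed sample data (not captured from a real browser).
const SAMPLE_EVENTS = [
  { tabId: 1, type: "title", value: "Interesting article" },
  { tabId: 1, type: "icon", value: "https://site.example/favicon.ico" },
  { tabId: 2, type: "title", value: "Inbox" },
  { tabId: 2, type: "icon", value: "https://mail.example/favicon.ico" },
  { tabId: 1, type: "hidden" },
  { tabId: 2, type: "hidden" },
  { tabId: 1, type: "title", value: "Gmail: Email from Google" },
  { tabId: 1, type: "icon", value: "https://site.example/other.ico" },
  { tabId: 2, type: "title", value: "(1) Inbox" },
  { tabId: 1, type: "visible" },
  { tabId: 2, type: "visible" },
];

console.log(detectTabMorph(SAMPLE_EVENTS));
```

Tab 1 is reported because both its title and icon changed while hidden; tab 2, which only updated an unread counter in its title, is not.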

TÜV Trust IT tested the security functions of IE 8 using a specially designed methodology. More information can be found here (the page is in German). This validation comes one week after the annual Pwn2Own contest at the CanSecWest security show in Vancouver, where researchers demonstrated that they could hack a non-jailbroken iPhone, Safari running on Snow Leopard, and Internet Explorer 8 and Firefox on Windows 7.

To hack IE 8, Peter Vreugdenhil (an independent security researcher from the Netherlands) said he exploited two vulnerabilities in a four-part attack that involved bypassing ASLR (Address Space Layout Randomization) and evading DEP (Data Execution Prevention), which are designed to help stop attacks on the browser.